docs: add initial architecture documentation

docs/security.md

@@ -1,16 +1,13 @@
 # Security
 
-Describe security assumptions and controls.
+AzioneLab security assumptions and controls are documented in [security-notes.md](security-notes.md).
 
-Include:
+The initial security model covers:
 
-- authentication;
-- authorization;
-- network exposure;
-- TLS/certificates;
-- secrets management;
-- logging of sensitive data;
-- container privileges;
-- filesystem permissions;
-- dependency management;
-- relevant ADRs.
+- public website access;
+- authenticated administration and check-in;
+- reservation privacy;
+- opaque token handling;
+- QR code privacy;
+- server-side capacity validation;
+- deployment and logging assumptions.